DDoS Attacks on Banks: No Break In Sight

Phase 3 of Hacktivist Attacks Shows No Sign of Ending

Hacktivists' attacks on U.S. banking institutions are now in the eighth week of their third phase, making this phase, which launched March 5, the longest since Izz ad-Din al-Qassam Cyber Fighters waged its first campaign last year.

Some experts on distributed-denial-of-service attacks now say they don't anticipate the hacktivists will take a break as they did after the two previous campaigns. The first phase of attacks lasted six weeks; the second phase ran seven.

Attacks during the third phase have strengthened and diversified, and they've proven to be effective at taking online-banking sites offline, experts say. Greg Garcia, cyber-attack adviser and spokesman for the Financial Services Information Sharing and Analysis Center, is concerned that criminal groups and others not affiliated with Izz ad-Din al-Qassam Cyber Fighters will wage malicious strikes that coincide with the hacktivists' attacks to perpetrate fraud.

"Observers should expect that some of these [attacks] are opportunistic 'copycat' attacks, and that criminals are readily sharing information with one another to compare what works and to tinker with new techniques," Garcia says. "Members of the financial sector also share information robustly in our community, and we're deploying our best tools, expertise and collaboration to anticipate incoming attacks and stop them before they occur. Some attacks succeed; many do not; and we're working every day to raise our success rate and lower theirs."

More Attacks Planned

On April 23, Izz ad-Din al-Qassam Cyber Fighters, which claims it's attacking U.S. banking institutions in protest of a YouTube movie trailer deemed offensive to Muslims, said on the open forum Pastebin that more attacks are planned.

"We have already stated that removal of the offensive video ... from YouTube is the simplest solution to stop the cyber-attacks," the group stated in the post. "The United States must still pay because of the insult."

In its post, the hacktivist group took credit for targeting eight financial-services firms - Regions Bank, M&T Bancorp, Union Bank, Principal Financial Group, Ameriprise Financial, State Street Corp., RBS Citizens Financial Group Inc. [dba Citizens Bank] and Wells Fargo & Co. - as well as others in the last week.

"We're seeing that the [hacktivist] attacks are being directed against some FIs [financial institutions] that are smaller than the FIs targeted in the first two phases, including insurance and investment companies," Garcia says.

Variations in the attacks and the targets also were noted during phase 2 of the hacktivist campaign, which ended in late January, says Rodney Joffe, a senior technologist for online security provider Neustar Inc.

In the first phase, which ran from mid-September to mid-October, only top-tier institutions, such as JPMorgan Chase & Co. and Bank of America, were targeted. During the second phase, the attacks started hitting mid-tier banks and some credit unions, which led some experts to suspect the hacktivists' botnet, known as Brobot, may have been leased by other groups.

That suspicion was further fueled in March, when Brobot was identified in DDoS attacks aimed at online-gaming sites.

"If the group executing the attacks is truly for hire, I would not be surprised if the 'normal' financial criminals have reached out and are offering some additional revenue incentives [to see] if they can piggy-back on the attacks as a cover for activities they're more interested in," such as the theft of data or intellectual property and financial fraud, Joffe says.

Fraud Concerns Rise

So far, the attacks tied to Brobot have not been linked to fraud, experts say. But concerns about fraud and other malicious intent are mounting.